CIA Created Toolkit for Hacking Hundreds of Router Models


After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series, which supposedly contains CIA-made hacking tools that the organization claims it received from hackers and agency insiders.

Today’s dump includes the documentation for a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models.

The tool is by far one of the most sophisticated malware frameworks in the CIA’s possession. The purpose of CherryBlossom is to allow operatives to interact with and control SOHO routers on the victim’s network.

CherryBlossom installed via tainted firmware updates

The most complex part of using CherryBlossom is by far deploying the tool on a target’s routers. This can be done by a field operative, or remotely using a router flaw that allows CIA operators to install new firmware on the targeted device.

Internally, CherryBlossom is made up of different components, each with a very precise role:

- FlyTrap – beacon (compromised firmware) that runs on the compromised device
- CherryTree – command and control server to which FlyTrap devices report
- CherryWeb – web-based admin panel running on CherryTree
- Mission – a set of tasks sent by the C&C server to infected devices

According to the CherryBlossom manual, CIA operators can send “missions” to infected devices from the CherryTree C&C server via the CherryWeb panel.

CherryBlossom supports over 200 router models

According to the CIA docs, FlyTraps can be installed on both WiFi routers and access points. There is a separate document that lists over 200 router models that CherryBlossom can target, most of which are older models. This 24-page document is not dated, but the rest of the CherryBlossom manuals are — between 2006 and 2012.

You’ll find a list of all WiFi equipment vendors that were included in this document at the bottom of this article. For the full vendor-series list, please refer to the original WikiLeaks document here.

In addition, French security researcher X0rz noticed a small detail that might help investigators track down CherryBlossom installations. According to the tool’s installation guide, the default URL for the CherryWeb control panel is “https://CherryTree-ip-address/CherryWeb/” (e.g.: https://10.10.10.10/CherryWeb/). Scanning the Internet for CherryWeb web folders will reveal how many CherryBlossom installations are currently deployed online.
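For defenders who want to act on that detail without scanning anything, the same default path can be checked against web server or reverse-proxy access logs they already collect. The following is an added example (not code from the article, from WikiLeaks, or from the leaked documents): it parses Apache/nginx combined-format log lines and flags requests whose path sits under the default CherryWeb directory. The log lines, client addresses and the combined-log layout are constructed assumptions for the example.

```python
import re

# Apache/nginx combined log format (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Default CherryWeb panel directory quoted in the installation guide
# (compared case-insensitively because web servers may not be case-sensitive).
CHERRYWEB_PATH = "/cherryweb/"

# Constructed sample log: two real-looking hits, one lookalike, one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [15/Jun/2017:10:01:09 +0000] "GET /CherryWeb/ HTTP/1.1" 200 2048
198.51.100.23 - - [15/Jun/2017:10:01:15 +0000] "POST /CherryWeb/login HTTP/1.1" 302 0
203.0.113.7 - - [15/Jun/2017:10:02:00 +0000] "GET /cherryweb/static/app.js?v=3 HTTP/1.1" 200 9000
192.0.2.44 - - [15/Jun/2017:10:03:30 +0000] "GET /blog/cherry-web-design/ HTTP/1.1" 200 4096
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cherryweb_path(raw_path):
    """True if the request path is the CherryWeb directory itself or anything below it."""
    path = raw_path.split("?", 1)[0].lower()      # drop query string, normalise case
    return path == CHERRYWEB_PATH.rstrip("/") or path.startswith(CHERRYWEB_PATH)


def find_cherryweb_hits(log_text):
    """Return (client, method, path, status) for every parsable request under /CherryWeb/."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                              # skip malformed lines rather than crash
        if is_cherryweb_path(rec["path"]):
            hits.append((rec["client"], rec["method"], rec["path"], rec["status"]))
    return hits


def clients_by_hits(log_text):
    """Aggregate hits per client address so the loudest source surfaces first."""
    counts = {}
    for client, _, _, _ in find_cherryweb_hits(log_text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for hit in find_cherryweb_hits(SAMPLE_LOG):
        print("CherryWeb path requested:", hit)
    print("Per client:", clients_by_hits(SAMPLE_LOG))
```

The path check deliberately requires the directory prefix rather than the substring “cherry”, so a legitimate page such as /blog/cherry-web-design/ is not reported; on a real deployment the hits would be correlated with the list of router models in the WikiLeaks document and with the device inventory before being treated as anything more than a lead.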

Tool co-developed with US nonprofit?

WikiLeaks claims the CIA co-developed CherryBlossom together with a US nonprofit named Stanford Research Institute (SRI International), but SRI’s name only appears in one document — the manual for a tool named Sundew, a Linux-based wireless scanner used to identify the make and model of wireless devices. It is unclear at this moment what SRI’s role was.

In May, WikiLeaks published documents revealing that US cyber-security company Siege Technologies had helped the CIA develop a tool called Athena, a versatile implant (CIA term for “malware”).

Unlike the Shadow Brokers, who dumped the actual hacking tools they claim to have stolen from the NSA, WikiLeaks only published the CherryBlossom documentation, without dumping the actual tool.

You can read our previous WikiLeaks Vault 7 coverage here. Below is a list of the most notable WikiLeaks Vault 7 dumps: